USN-2247-1: OpenStack Nova vulnerabilities

Ubuntu Security Notice USN-2247-1

nova vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Ubuntu 13.10

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in OpenStack Nova.

Software description

nova
- OpenStack Compute cloud infrastructure

Details

Darragh O'Reilly discovered that the Ubuntu packaging for OpenStack Novadid not properly set up its sudo configuration. If a different flaw wasfound in OpenStack Nova, this vulnerability could be used to escalateprivileges. This issue only affected Ubuntu 13.10 and Ubuntu 14.04 LTS.(CVE-2013-1068)

Bernhard M. Wiedemann and Pedraig Brady discovered that OpenStack Nova didnot properly verify the virtual size of a QCOW2 images. A remoteauthenticated attacker could exploit this to create a denial of service viadisk consumption. This issue did not affect Ubuntu 14.04 LTS.(CVE-2013-4463, CVE-2013-4469)

JuanFra Rodriguez Cardoso discovered that OpenStack Nova did not enforceSSL connections when Nova was configured to use QPid and qpid_protocol isset to 'ssl'. If a remote attacker were able to perform a man-in-the-middleattack, this flaw could be exploited to view sensitive information. Ubuntudoes not use QPid with Nova by default. This issue did not affect Ubuntu14.04 LTS. (CVE-2013-6491)

Loganathan Parthipan discovered that OpenStack Nova did not properly createexpected files during KVM live block migration. A remote authenticatedattacker could exploit this to obtain root disk snapshot contents viaephemeral storage. This issue did not affect Ubuntu 14.04 LTS.(CVE-2013-7130)

Stanislaw Pitucha discovered that OpenStack Nova did not enforce the imageformat when rescuing an instance. A remote authenticated attacker couldexploit this to read host files. In the default installation, attackerswould be isolated by the libvirt guest AppArmor profile. This issue onlyaffected Ubuntu 13.10. (CVE-2014-0134)

Mark Heckmann discovered that OpenStack Nova did not enforce RBAC policywhen adding security group rules via the EC2 API. A remote authenticateduser could exploit this to gain unintended access to this API. This issueonly affected Ubuntu 13.10. (CVE-2014-0167)

Update instructions

The problem can be corrected by updating your system to the following
package version: